TOR Hidden Services


Adam Brown

Aug 20, 2014, 12:50:58 AM
to sandst...@googlegroups.com
I just found out about Sandstorm and I'm trying to wrap my head around a few of the details. 

There are lots of various services that I've been working on that I think can benefit from Sandstorm. One, in particular, is setting up a Tor Hidden Service host. Tor Hidden Services are simply websites on the Tor network. In order to do this, the Tor software has to be functional. 

I see that Roundcube uses a Dovecot installation. From looking through the source, it appears that Dovecot isn't actually installed by the Sandstorm grain, it's simply accessed. 

Yet, in a GitHub issues post, there is discussion of work that needs to be done for "device drivers" to support non-HTTP protocols. 

Can you help clarify?

Of note, here is a simple Docker script to enable a Tor Hidden Service to function in a Docker container: https://github.com/patrickod/docker-tor-hidden-services
Here are the standard instructions for setting up a Tor Hidden Service: https://www.torproject.org/docs/tor-hidden-service.html.en

My end goal is for Sandstorm to be able to spin up WordPress, Ghost, MediaGoblin, HackerCMS, etc. and have it functioning at a .onion Tor address, and optionally at a regular HTTP address as well. 

If a user wishes to quit using the Sandstorm-compatible web host, they can download their grain and run it on another service, or a local machine, and it would have all of the data, private key, and everything necessary to run the app locally.

Thanks!

PS... trying to get some developers and hackers together to contribute enough to qualify under the Corporate Sponsor level specifically for this use case. 

Kenton Varda

Aug 20, 2014, 1:46:55 AM
to Adam Brown, sandst...@googlegroups.com
Hi Adam,

On Tue, Aug 19, 2014 at 9:50 PM, Adam Brown <ad...@deftnerd.com> wrote:
> I see that Roundcube uses a Dovecot installation. From looking through the source, it appears that Dovecot isn't actually installed by the Sandstorm grain, it's simply accessed.
>
> Yet, in a GitHub issues post, there is discussion of work that needs to be done for "device drivers" to support non-HTTP protocols.
>
> Can you help clarify?

Roundcube uses Dovecot internally as a hack. sandstorm-http-bridge (which most apps use to interpret the Sandstorm APIs) currently delivers mail in maildir format, but Roundcube wants to talk to an IMAP server. So we threw Dovecot in there as a thing that turns maildir into IMAP. It does not talk to the outside world at all.

The current hacky API for sending and receiving e-mail is documented here:

We plan to replace this with the "device driver" approach in the future, but that first requires the Powerbox.
 
> Of note, here is a simple Docker script to enable a Tor Hidden Service to function in a Docker container: https://github.com/patrickod/docker-tor-hidden-services
> Here are the standard instructions for setting up a Tor Hidden Service: https://www.torproject.org/docs/tor-hidden-service.html.en
>
> My end goal is for Sandstorm to be able to spin up WordPress, Ghost, MediaGoblin, HackerCMS, etc. and have it functioning at a .onion Tor address, and optionally at a regular HTTP address as well.

There are two things here.

WordPress, Ghost, and HackerCMS all have the ability to publish to a domain. Eventually, this ability will also be handled by a "device driver". At that point it would be very easy to write another device driver which exports the sites via Tor instead.

MediaGoblin currently does not support publishing to a domain; it can only be used through the Sandstorm shell. We actually want to add web publishing support eventually, but let's say for the moment that what you really want is to access the Sandstorm shell via Tor. It probably makes the most sense to accomplish this by running the Tor proxy in front of Sandstorm rather than inside it -- though I suppose one could imagine using a device driver (which has arbitrary network access after all) just to host a proxy that loops back to Sandstorm's frontend.

One big issue: Does the Tor protocol support WebSockets? Sandstorm won't work very well without them.
 
> PS... trying to get some developers and hackers together to contribute enough to qualify under the Corporate Sponsor level specifically for this use case.

That'd be amazing!

-Kenton